Correctly escape sort-by columns in SQL (refs #189)

Simon Willison 2018-04-08 19:25:14 -07:00
commit afd24ef58c


@ -616,10 +616,10 @@ class TableView(RowTableShared):
# Allow for custom sort order
sort = special_args.get('_sort')
if sort:
order_by = sort
order_by = escape_sqlite(sort)
sort_desc = special_args.get('_sort_desc')
if sort_desc:
order_by = '{} desc'.format(sort_desc)
order_by = '{} desc'.format(escape_sqlite(sort_desc))
count_sql = 'select count(*) from {table_name} {where}'.format(
table_name=escape_sqlite(table),